Coming into Patch Tuesday we have a known zero day on the Microsoft side, and we’ve seen example code for an SMB exploit that could lead to DoS and BSOD of a system.
US CERT recommends blocking outbound SMB connections until an update is in place. This would include blocking TCP ports 139 and 445 along with UDP ports 137 and 138 from the local network to the wide area network.
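One way to check that the egress block is actually in effect, as an added example that is not part of the original article: a Python script that scans firewall flow records for local-to-WAN traffic on the listed ports. The record format, the use of RFC 1918 space as the "local network," and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Ports named in the US-CERT recommendation above.
SMB_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}

# Assumption: "local network" means RFC 1918 space; substitute your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (hypothetical format, not real traffic):
# proto src_ip src_port dst_ip dst_port action
SAMPLE_FLOWS = """\
tcp 10.0.4.17 49812 10.0.1.5 445 allow
tcp 10.0.4.17 49813 203.0.113.40 445 allow
udp 192.168.7.9 137 198.51.100.22 137 allow
tcp 10.0.4.30 50100 203.0.113.40 443 allow
tcp 172.16.2.8 51234 192.0.2.77 139 deny
udp 10.0.4.17 138 10.0.255.255 138 allow
tcp 10.0.4.17 50222 203.0.113.40 137 allow
tcp 10.0.4.17 49900 not-an-ip 445 allow
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def audit_outbound_smb(text):
    """Return (leaks, blocked, malformed) for LAN-to-WAN flows on the SMB ports."""
    leaks, blocked, malformed = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            proto, src, _sport, dst, dport, action = line.split()
            outbound = is_internal(src) and not is_internal(dst)
            # Port must match the protocol: TCP 139/445, UDP 137/138.
            smb = int(dport) in SMB_PORTS.get(proto.lower(), set())
        except ValueError:
            malformed.append(line)  # wrong field count, bad IP or bad port
            continue
        if outbound and smb:
            record = (proto.lower(), src, dst, int(dport))
            (blocked if action.lower() == "deny" else leaks).append(record)
    return leaks, blocked, malformed

if __name__ == "__main__":
    leaks, blocked, malformed = audit_outbound_smb(SAMPLE_FLOWS)
    for proto, src, dst, port in leaks:
        print(f"LEAK {proto}/{port} {src} -> {dst}")
    print(f"{len(blocked)} blocked, {len(malformed)} unparsed")
```

Any entry in `leaks` is a flow the perimeter rule should have dropped; unparsed lines are reported rather than silently skipped so gaps in the log do not read as a clean result.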
Laurent Gaffié, the researcher who discovered the vulnerability, has released the exploit code on GitHub, which many have called an irresponsible move, but he suggested that the responsibility lies with Microsoft.
“If I’m not rewarded in any way for the free work I’m doing for this multi-billion company, why should I tolerate them sitting on my bugs?” he said.
While Gaffié’s research has uncovered a serious issue, he has done a disservice to all of us by publishing his findings before Patch Tuesday. There have been a few occurrences of other research teams, like Google, disclosing vulnerabilities with a fix coming less than a week later on Microsoft’s regular Patch Tuesday release.
Gaffié could have at least waited until Patch Tuesday as a courtesy to the rest of us.
The pros and cons of the cumulative rollup model
Playing devil’s advocate, if Microsoft could have had an update available to plug this vulnerability sooner, would they have done so? Or is their new update model going to act as a sea anchor to reactivity?
I have had conversations with a number of security researchers, and we have debated the positives and negatives of the cumulative rollup model now that Microsoft has shifted all OS and IE updates to it. Arguably, they have made themselves slower to react to a zero day like this, because an individual update can be rolled out quickly.
Changes to the security bulletin pages
Aside from the zero day, we have another significant change coming from Microsoft this month. The security bulletin pages are going away. They announced that the bulletin pages will be replaced by the security updates guide or by using a REST API to get access to content directly.
Currently, you get less information than on the bulletin pages, but as they transition I am hopeful that the detailed vulnerability data found in the bulletin pages will also transition. There are a lot of key indicators of risk buried in those bulletin pages that we as an industry can use to better prioritize risk and the potential impact of delaying an update.